Analysis Date: 2015-01-20 20:40:52
MD5: 2ec4dc05e97c207e67462ef85a670382
SHA1: 993bdffd4b2c32f01304170ce8de979a190ec31d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 856b32eb77dfd6fb67f21d6543272da5 sha1: 6597c511c2ee72f68f5246460f0683dae16dcade size: 24064
Section .rdata: md5: dc77f8a1e6985a4361c55642680ddb4f sha1: 3d397ee25b2dd83ab741c67375880151cae94ed8 size: 5120
Section .data: md5: 7922d4ce117d7d5b3ac2cffe4b0b5e4f sha1: 4e56bb1994226ae0285c7adee470777262de2c99 size: 1024
Section .ndata: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 93b5c39fa0cc31f2114d5b587ba0c84c sha1: a594dac037355aa5f30cb9dec3afe7278b7c46ba size: 142336
Timestamp: 2009-12-05 22:50:52
Packer: Nullsoft PiMP Stub -> SFX
PEhash: d985ab3cea1187260181471633cf3074082a7791
IMPhash: 7fa974366048f9c551ef45714595665e
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\GoldSoft\uninst.lnk
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\i.rar
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\GoldSoft\Uninstall.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\NSISdl.dll
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\3.ico
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\nsProcess.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\2.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\Inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\NSISdl.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\3.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nss1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\2.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\i.rar
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd2.tmp\Inetc.dll
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: GoldSoft
Winsock DNS: pconline.org.cn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ Pid 0

Network Details:

DNS: int.dpool.sina.com.cn (Type: A) ➝ 180.149.136.250
DNS: pconline.org.cn (Type: A) ➝ 222.186.60.69
DNS: pconline.org.cn (Type: A) ➝ 222.186.60.70
DNS: pconline.org.cn (Type: A) ➝ 222.186.60.2
DNS: pconline.org.cn (Type: A) ➝ 222.186.60.68
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: NSISDL/1.2 (Mozilla)
HTTP GET: http://pconline.org.cn/2.ico
User-Agent: NSIS_Inetc (Mozilla)
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.250:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.69:80

Raw Pcap

Strings